Simulating DDoS Attacks
February 27, 2009 by Dustin D. Trammell
Todd Manning and I have a new whitepaper available over at BreakingPoint on simulating Distributed Denial-of-Service (DDoS) attacks using the BreakingPoint product. You can read more about the paper in my BreakingPoint blog post, or just grab the paper here. If you’re a BreakingPoint customer, you’ll want the bundled version which comes with test cases and other supporting materials.
Review: The IDA Pro Book
February 12, 2009 by Dustin D. Trammell
When a book is so well-received by your peers as The IDA Pro Book has been, even if reverse engineering isn’t a huge part of what you do every day, you pretty much have to give it a read. The creator of IDA Pro, Ilfak Guilfanov, even recommends it himself for a number of reasons, calling it “the most thorough and accurate IDA Pro book.” Even though I don’t do a whole lot of reversing, I do use IDA on occasion, so I thought it in my best interests to read this book. Authored by Chris Eagle, a co-author of one of my favorite security books, Gray Hat Hacking, I had fairly high expectations. I was not disappointed.
When Magic Lost It’s Magic
January 7, 2009 by Dustin D. Trammell
Most that know me know that I’m an avid gamer. I play video games, board games, card games, puzzles, pretty much anything I can get my hands on. Because I like puzzles and strategy games, I’ve regularly been asked what I think the most strategic game I’ve ever played is, and I’ve gotten more than the occasional odd look when I don’t respond with “Chess” or “Go”, but with “Magic: The Gathering”.
MD5? Really?
January 7, 2009 by Dustin D. Trammell
First let me say that this article is not meant to diminish the work that Alexander Sotirov et al. have been doing for the past 6 months. It’s good work, has brought about some awesome results, and has demonstrated what was once a theoretical attack on PKI certificates based on MD5 hash collisions. What I’m amazed at is that it had the impact that it actually did.
The Folly of a Scheduled Patch Release Cycle
December 11, 2008 by Dustin D. Trammell
A number of years ago, Microsoft led the charge by moving away from a dynamic patch release schedule to a monthly patch release schedule, essentially creating an imposed monthly patch cycle for their customers. Since then, many other vendors have followed suit. There are opinions and arguments supporting both a release schedule philosophy as well as a release upon completion philosophy, and today I’m going to outline where I stand on the issue.
The Problem With the Liberty Dollar
December 7, 2008 by Dustin D. Trammell
I’m not going to talk about their underlying quest to end the Federal Reserve (with which I wholeheartedly agree), or about their multi-site raid by the FBI last year where all of their current inventory and all of the metals backing the Liberty Dollar warehouse receipts (paper currency) were confiscated. No, I’m not going to talk about any of their politics or their legal troubles; what I am going to talk about is their currency model.
Four-factor Authentication
November 21, 2008 by Dustin D. Trammell
It’s common understanding these days that the more factors of identification that a user has to provide to an authentication system, the more trustworthy and secure it likely is. Single-factor authentication is usually accomplished by providing something you know, like a password or PIN.
As two-factor authentication became more and more mainstream, the two factors involved have usually been something you know, and something you have, like a credit card, crypto-key USB device, a code generated every so often by an electronic card you keep in your wallet, a smart-card that can respond directly to cryptographic challenges, or an RFID or other radio device. The most common use of two-factor authentication is how bank customers authenticate to an ATM; they must provide something they have, their bank card, and something they know, its PIN.
As cheap ways to collect biometrics have begun to emerge, these two factors have begun to shift from something you know and something you have, to something you know and something you are. This notion of something you are, generally referred to as biometrics, includes things like your finger or palm print, iris pattern, voice print, or even your DNA. Using something you are to authenticate is obviously less expensive than providing users with something they need to have; however, some more advanced authentication systems now require all three factors for authentication.
Enter the fourth factor of authentication: somewhere you are.
How NOT to Write a Protocol Specification
November 17, 2008 by Dustin D. Trammell
For the last week or so, I’ve been tasked with implementing Application Simulators in the BreakingPoint product for the OWAMP and TWAMP protocols, RFC 4656 and RFC 5357, respectively. These are honestly two of the most poorly written protocol specifications that I’ve ever read. Luckily, they’re rather short. Not only are many parts vague and ambiguous, but some parts read like a stream-of-consciousness dump directly to a text editor.
What, no ToorCon???
September 30, 2008 by Dustin D. Trammell
So apparently quite a few people have come to expect and enjoy my summaries of conferences I’ve attended, because I’ve already gotten a number of inquiries as to why I haven’t yet posted about this last weekend’s ToorCon. In short, it’s because I wasn’t there!
(In)Security Questions
September 18, 2008 by Dustin D. Trammell
A number of years ago, as the Internet became more and more mainstream, websites and web services began to push to the forefront of online business and society. This generally required allowing users to create accounts with these increasingly complex sites and services, and thus, the entities providing them had to then manage those accounts. In these early days, such user accounts began to be compromised due to their easily guessable or brute-forceable passwords, so nowadays most sites require users to use relatively complex passwords. Humans are simply not good at remembering such things, and customer service expenses soon skyrocketed under the flood of users constantly requesting password resets to regain access to their accounts. The business solution to this? Let the users reset the passwords themselves!
